Sudden emergence of an @example.cm email address

Hi!

We use a self-hosted GitLab CE instance that gets regular updates, typically no later than three weeks after a security patch is released.

The server is available on the internet and there are a few public projects. Each of these projects has exactly one maintainer, which is a technical user that has the following properties (or had until a few days ago):

  • regular user (not an admin)
  • a dummy email with this ending: @example.com
  • a personal access token with api scope

The personal access token is used by a job of a private repo to push stuff to one of the public repos.
Recently, this push started to fail with a 401.

Then we found out that this technical user has a second email ending with @example.cm (the TLD of Cameroon). We also found out from the logs that this email was obviously confirmed.

We also found out that the 401 occurs if the user is unconfirmed, but I am not sure when and whether the user was unconfirmed. We're just trying to reconstruct this timeline from the backups (not sure if this can be seen in the logs or the DB?).

Is there an explanation for this other than hacking?
And if we got hacked, is there a known vulnerability that might be involved here, maybe one that got closed recently?

Best regards
Reis